In response to a congressional request, GAO reviewed the Veterans Administration's (VA) Decentralized Hospital Computer Program (DHCP) system, which services 172 medical centers, to determine: (1) the status of the decentralized system; (2) VA effectiveness in managing the system's development and implementation; and (3) the possibility of using three commercial systems VA tested as alternatives to the decentralized system.

GAO found that: (1) the DHCP system did not adequately safeguard patient records from inaccurate data entry, unauthorized changes, or destruction, and permitted the creation of multiple patient records; (2) VA is planning a multimillion-dollar expansion of the system without an adequate analysis to determine the most cost-effective approach; and (3) although the test of three commercial systems does not provide an appropriate basis for comparison with the DHCP system, VA believes they are too expensive and are not viable alternatives.

Recommendations for Executive Action

Status: Closed - Implemented

Comments: VA issued policy on software development controls, risk analysis, and contingency plans in October 1987. VA implemented an interim policy and began holding its management office accountable for it in February 1987.

Recommendation: The Administrator of Veterans Affairs should report the lack of sufficient software development controls and continue to report the lack of risk analyses and contingency plans as material control weaknesses under the Federal Managers' Financial Integrity Act until: (1) appropriate software development controls have been implemented; (2) risk analyses, as well as needed corrective action identified by such analyses, have been completed for all computer centers; and (3) contingency plans have been developed, certified, and tested.

Recommendation: The Administrator of Veterans Affairs should hold the Management Office accountable for ensuring that the existing and expanded DHCP system is effectively managed and adequately protected. At a minimum, this office should: (1) institute procedures to collect work-load and cost-benefit data on prototype modules at test sites; (2) implement controls to ensure that software is adequately tested, documented, and approved, and that software and hardware problems are systematically tracked and corrected; (3) implement appropriate internal controls to protect data, equipment, and facilities as required in Office of Management and Budget Circular A-130; (4) issue a policy to restrict release of DHCP software under the Freedom of Information Act; (5) ensure that the data requirements are defined and incorporated in the DHCP modules so that the data can be efficiently assessed by system users; and (6) establish policies and procedures for regular system monitoring and assessment.